Over the past few months there has been an unremitting drumbeat of news stories about vast amounts of data being lost when corporate laptops are stolen. In almost all these cases, the data on the laptop was not encrypted, but that is not the real problem.
The latest example comes from Ernst & Young, which had a laptop stuffed with information about more than 240,000 Hotels.com users stolen. Apparently, this happened a while back, but Ernst & Young did not have the honesty to admit its stupidity publicly until The Register started nosing around.
This is not the only laptop Ernst & Young has let slip through its fingers this year. Earlier, four company laptops were stolen from a conference room while the auditors who were supposed to protect them were off at lunch.
Ernst & Young is hardly alone in its zeal to expose others’ confidential information, then not fess up. There is the marvy case of the Department of Veterans Affairs employee who for years had been taking home disks full of Social Security numbers and other information on veterans (26 million, as it turned out). It took the department weeks to break the news when the data finally was stolen.
These cases are stupid. Doesn’t anyone at these companies read the stories in the papers about the problem of stolen laptops? The problem is best described by Ernst & Young on its Web page on information security: “However, organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business.” Ernst & Young seems to be a perfect example of what it was talking about.
The problem isn’t that these laptops were not using encryption. The real problem is having Social Security and credit card numbers on laptops.
I see no possible reason for an auditor such as Ernst & Young to ever have Social Security or credit card numbers on a laptop. In any reasonable society this would be illegal. Disclaimer: Harvard, as far as I know, does not teach abject stupidity, so the above rant is mine, not the university’s.